Cybersecurity is one of the highest-demand, highest-paying, and fastest-growing fields in technology. The global cybersecurity workforce gap reached 4 million unfilled positions in 2026, salaries consistently outpace comparable IT roles, and the variety of career paths — from defending critical infrastructure to hunting bugs in AI systems — makes it one of the few fields where deep specialisation pays as well as management. There has never been a better time to enter this field.
The problem is not opportunity — it is clarity. Cybersecurity has dozens of roles, hundreds of certifications, and contradictory advice from every direction. This roadmap cuts through the noise. It covers the complete landscape of cybersecurity careers, the specific skills and certifications each path requires, realistic timelines, 2026 salary data for three regions, and a concrete 12-month action plan that works whether you are starting from zero or transitioning from another IT role.
- The cybersecurity career landscape — roles and paths
- Foundation skills every cybersecurity professional needs
- Path 1 — SOC Analyst (Blue Team)
- Path 2 — Penetration Tester (Red Team)
- Path 3 — Bug Bounty Hunter
- Path 4 — Cloud Security Engineer
- Path 5 — Application Security (AppSec)
- Certifications guide — which to get and in what order
- 2026 salary data — US, UK, and India
- 12-month action plan — from zero to job-ready
- Breaking in without a degree or IT background
- Frequently asked questions
Cybersecurity is not a single career — it is a field containing dozens of distinct roles that require very different skills, temperaments, and daily work patterns. Understanding the landscape before choosing a path prevents the most common mistake: picking a certification that leads to a role you will not enjoy.
The most common early question. The honest answer is that most professionals develop skills in both before specialising — but if you need to pick a starting direction:
- Choose blue team (SOC / defensive) if: you want the fastest path to employment, prefer structured work, like investigating and analysing rather than breaking things, and want a clear hire-date-to-paycheck timeline. SOC Analyst is the most consistently available entry-level security role worldwide.
- Choose red team (pentesting / bug bounty) if: you are comfortable with longer timelines before income, enjoy creative problem-solving, want to understand how attacks work at a deep level, and are self-directed enough to practise independently without a structured job telling you what to do.
- The practical path: Many professionals start in SOC (employed, paid, building skills) and transition to penetration testing after 2–3 years. SOC experience makes better pentesters because they understand what defenders see.
Regardless of which specialisation you choose, these foundational skills are required by all paths. Think of them as prerequisites — you build these first, then layer your specialisation on top.
Every attack and every defence involves the network. You need to understand TCP/IP at the packet level, not just conceptually. What happens when you type a URL? What does a TCP three-way handshake look like in Wireshark? How does DNS resolution work? Why does NAT matter for penetration testing? What is the difference between TCP and UDP and when does each matter for security?
- OSI model and TCP/IP stack — know every layer and its security implications
- IP addressing, subnetting, CIDR notation
- DNS, HTTP/S, FTP, SSH, SMB, SMTP — how each protocol works and its weaknesses
- Packet analysis with Wireshark — Wireshark tutorial →
- Port scanning and service enumeration with Nmap — Nmap tutorial →
Learn it: Professor Messer's CompTIA Network+ course (free on YouTube), the CompTIA Network+ SY0-901 study guide, and hands-on Wireshark analysis of your own home network traffic.
Every serious security tool runs on Linux. Kali Linux is built on Debian. Most servers run Linux. Most malware targets Linux. Being comfortable in the terminal — navigating the filesystem, managing processes, editing files, writing basic shell scripts — is non-negotiable.
- File system navigation: ls, cd, find, locate
- Text processing: grep, awk, sed, cut, sort, uniq
- User and permission management: chmod, chown, sudo, /etc/passwd
- Network tools: netstat, ss, curl, wget, nc
- Process management: ps, kill, top, cron
- Basic bash scripting — automate repetitive tasks
Learn it: The Linux command line book by William Shotts (free online at linuxcommand.org), OverTheWire Bandit wargame (free, teaches Linux through increasingly difficult challenges).
You do not need to be a software developer, but you need to read and modify code. Python is the language of cybersecurity — virtually every tool, every exploit script, every automation task uses Python. Knowing enough Python to modify existing scripts, write simple tools, and understand what code does is sufficient for most roles.
- Python — the most important. Learn: variables, loops, functions, file I/O, requests library (HTTP), socket library (network). Most security automation uses these.
- Bash scripting — for automating Linux tasks, chaining tools together, processing command output
- Basic web technologies — HTML, JavaScript, SQL. Understanding these is essential for web security work regardless of specialisation.
- Optional but valuable — PowerShell (Windows environments, Active Directory), Go (modern security tools are increasingly written in Go)
- Linux — user/group model, file permissions, systemd, common attack paths (SUID binaries, cron jobs, world-writable files, sudo misconfigurations)
- Windows — Active Directory fundamentals, registry, services, PowerShell, common attack paths (pass-the-hash, Kerberoasting, privilege escalation via misconfigurations)
- Virtual machines — set up your home lab, understand snapshots, host/guest networking. Home lab guide →
- CIA triad (Confidentiality, Integrity, Availability) and how security controls map to each
- Authentication vs authorisation, common weaknesses in each
- Encryption basics — symmetric vs asymmetric, TLS/SSL, hashing, common algorithms
- Common vulnerability classes — OWASP Top 10, CVE system, CVSS scoring
- Firewalls, IDS/IPS, SIEM — what they do and their limitations
SOC Analysts monitor security alerts from SIEMs, investigate potential incidents, triage alerts to separate real threats from false positives, and escalate confirmed incidents for response. Tier 1 handles initial alert triage — the highest volume, lowest complexity work. Tier 2 investigates escalated alerts in depth. Tier 3 handles advanced threat hunting and complex incident response.
SOC is the most reliably available entry-level security role. Companies of all sizes need SOC coverage. 24/7 shift work is common at large SOCs, which creates consistent hiring demand. The role builds the defensive knowledge that makes excellent pentesters later — you learn what the other side sees.
- SIEM platforms — Splunk (most demanded), Microsoft Sentinel, IBM QRadar. Learn Splunk's SPL query language. Free Splunk training at splunk.com/education.
- Log analysis — Windows Event logs, Linux syslogs, firewall logs, web server logs. Know which Event IDs matter (4624 logon, 4625 failed logon, 4688 process creation).
- Network traffic analysis — Wireshark, Zeek, Suricata. Identify anomalous patterns, C2 beaconing, lateral movement in packet captures.
- Threat intelligence — MITRE ATT&CK framework (memorise the main tactics), IOC analysis, malware sandboxing with Any.run or Cuckoo.
- Incident response — NIST IR lifecycle, evidence preservation, containment procedures, basic forensics with Autopsy and Volatility.
- Ticketing and documentation — Jira, ServiceNow. SOC work is heavily documentation-focused — clear, accurate incident tickets are a core deliverable.
- TryHackMe — SOC Level 1 and SOC Level 2 learning paths (free tier available)
- LetsDefend — free SOC analyst simulator with realistic alert investigation exercises
- Blue Team Labs Online — free DFIR and SOC challenges
- MITRE ATT&CK framework — read every technique in the Initial Access and Execution tactics
- HOC guide: How to become a SOC analyst →
Penetration testers (also called ethical hackers) are hired to attack systems with permission — finding vulnerabilities across web applications, networks, Active Directory environments, mobile apps, and cloud infrastructure before real attackers find them. The work involves scoping engagements with clients, performing systematic testing across all target surfaces, and writing detailed reports with actionable remediation advice.
Entry-level penetration testing jobs are less available than SOC roles but pay significantly better and offer more varied, creative work. The OSCP certification is the gold standard for junior pentester hiring and is the clearest signal to employers that you have practical offensive skills.
- Web application testing — OWASP Top 10, Burp Suite, manual SQLi and XSS, authentication attacks. Burp Suite guide →
- Network penetration testing — Nmap, service enumeration, exploiting network services, password attacks, lateral movement
- Active Directory attacks — Kerberoasting, Pass-the-Hash, DCSync, BloodHound, common misconfigurations. This is tested in OSCP and in demand in enterprise pentesting.
- Post-exploitation — Metasploit framework, Meterpreter, privilege escalation on Windows and Linux, persistence, pivoting
- Report writing — clear vulnerability descriptions, reproduction steps, CVSS scoring, business impact narrative, remediation recommendations. Pentesting methodology →
- HackTheBox — Realistic machines, Pro Labs for enterprise environment simulation. Complete 20 retired machines before attempting OSCP.
- TryHackMe — Guided learning paths, "Jr Penetration Tester" path is excellent OSCP preparation
- Your home lab — Metasploitable, VulnHub machines, Windows lab with Active Directory. Home lab guide →
- PortSwigger Web Security Academy — Gold standard for web application testing — 100% free
Bug bounty hunting is independent vulnerability research against company programmes that pay for valid security findings. No employer, no office, fully remote, purely merit-based income. It is the most accessible entry point into offensive security — you can start today with a free HackerOne account and a laptop.
It is also highly competitive. The top 1% of researchers earn the vast majority of payouts. Most beginners earn inconsistently for their first year. Treat it as a skill-building investment and income supplement initially, not a primary income source immediately.
- Focus on IDOR, broken access control, information disclosure, and XSS first — these are the most common beginner findings
- Target newer programmes with less competition — not the major tech companies where every accessible bug has been found
- Read 50+ public HackerOne disclosed reports before hunting — learn the patterns
- HOC complete guide: Bug bounty guide for beginners →
Cloud security is the highest-compensated segment of cybersecurity in 2026. Every enterprise is running workloads on AWS, Azure, or GCP — and most have significant security gaps in their cloud configurations. Cloud security engineers design and implement security controls for cloud environments, perform cloud penetration testing, assess IAM configurations, find and fix cloud misconfigurations, and ensure compliance with cloud security frameworks.
The fastest path: get a cloud engineering foundation (AWS Solutions Architect Associate or equivalent), then layer security on top. The combination of cloud operations knowledge and security skills is rarer and more valuable than security alone.
AppSec engineers work within software development teams to find and prevent security vulnerabilities in code before it ships. The work combines manual code review, SAST (Static Application Security Testing) tool integration, DAST (Dynamic Application Security Testing), security architecture review, and developer education. If you have a software development background, AppSec is the highest-paying and most direct transition into security.
- Learn secure coding standards for at least one language (Python, Java, JavaScript/Node.js)
- Understand how OWASP Top 10 vulnerabilities manifest at the code level
- Learn SAST tools: Semgrep (free), SonarQube, Checkmarx, Veracode
- Learn DAST tools: OWASP ZAP (free), Burp Suite Pro
- Understand CI/CD pipelines — Jenkins, GitHub Actions, GitLab CI — and how to embed security gates
- Learn threat modelling — STRIDE, PASTA frameworks
Certifications matter in cybersecurity — they signal competence to HR systems, satisfy compliance requirements (many organisations mandate Security+ for all security staff), and provide structured learning paths. But the wrong certification is a waste of time and money. Here is exactly what to get and when.
| Certification | Provider | Who it's for | Cost | Exam format | Recommended timing |
|---|---|---|---|---|---|
| CompTIA Security+ | CompTIA | Everyone — universal baseline, required by many employers, DoD 8570 compliant | ~$400 | 90 MCQ + performance-based, 90 min | First cert for everyone. Study 2–3 months. |
| CompTIA Network+ | CompTIA | Anyone without networking background — study before Security+ | ~$350 | 90 MCQ, 90 min | Before Security+ if networking is weak |
| eJPT | eLearnSecurity | Aspiring pentesters — practical exam, affordable, beginner-friendly | $200 | Practical exam — 35+ flags, 3 days | After Security+, before OSCP |
| CompTIA CySA+ | CompTIA | SOC analysts — threat detection, analysis, response focus | ~$400 | 85 MCQ + performance-based | After Security+, pursuing SOC path |
| OSCP | OffSec | Pentesters — the gold standard. Required by most senior pentest roles. | $1,499 (90 days lab) | 24-hour practical + 24-hour report | After 6+ months HackTheBox/TryHackMe |
| CEH | EC-Council | Government/compliance contexts — frequently listed in DoD job requirements | ~$1,100 | 125 MCQ, 4 hours | After Security+, if government roles targeted |
| AWS Security Specialty | Amazon | Cloud security engineers | $300 | 65 MCQ, 170 min | After AWS SAA + 2 years cloud experience |
| GIAC GCIH | SANS | Incident responders, senior SOC analysts | ~$2,500–$7,000 | 106 MCQ, open book | 2–3 years experience, senior SOC path |
| CISSP | ISC2 | Security managers and architects — management role progression | ~$700 | 125–175 adaptive, 4 hours | 5+ years experience, management track |
| CISM / CISA | ISACA | GRC, audit, risk management — non-technical security roles | ~$760 members | 150 MCQ, 4 hours | 3–5 years experience, GRC/audit track |
| Role | Level | USA (annual) | UK (annual) | India (LPA) |
|---|---|---|---|---|
| SOC Analyst Tier 1 | Entry | $52,000–$72,000 | £28,000–£40,000 | ₹4–8 LPA |
| SOC Analyst Tier 2 | Mid | $70,000–$100,000 | £40,000–£65,000 | ₹8–15 LPA |
| SOC Analyst Tier 3 / Lead | Senior | $95,000–$140,000 | £60,000–£90,000 | ₹15–28 LPA |
| Junior Penetration Tester | Entry | $70,000–$95,000 | £40,000–£55,000 | ₹6–12 LPA |
| Senior Penetration Tester | Senior | $120,000–$175,000 | £65,000–£100,000 | ₹18–40 LPA |
| Red Team Lead | Senior | $150,000–$220,000 | £80,000–£130,000 | ₹30–60 LPA |
| Cloud Security Engineer | Mid | $110,000–$160,000 | £65,000–£100,000 | ₹20–40 LPA |
| Senior Cloud Security Engineer | Senior | $160,000–$240,000 | £90,000–£140,000 | ₹40–80 LPA |
| AppSec Engineer | Mid | $110,000–$155,000 | £65,000–£95,000 | ₹18–38 LPA |
| AI / LLM Security Researcher | Mid–Senior | $140,000–$280,000 | £80,000–£160,000 | ₹30–80 LPA |
| CISO | Executive | $200,000–$500,000+ | £120,000–£300,000 | ₹80–200 LPA |
This plan assumes a SOC Analyst target as the first job — the most available entry-level security role. Adjust months 7–12 based on your chosen specialisation.
- Complete Professor Messer's Network+ course (free on YouTube) — watch all modules, take notes
- Set up your home lab: VirtualBox + Kali Linux + Metasploitable 2. Home lab guide →
- Complete OverTheWire Bandit (levels 0–20) — hands-on Linux command line
- Start TryHackMe — complete the "Pre-Security" learning path (free)
- Read: "The Web Application Hacker's Handbook" or equivalent — understand how web applications work
- Study CompTIA Security+ SY0-701 — Professor Messer (free), Jason Dion's Udemy course ($15), or Mike Chapple's official study guide
- Use Darril Gibson's Security+ practice exams — aim for 85%+ before the real exam
- Book and pass Security+. Budget $400 for the exam.
- Continue TryHackMe — "Jr Penetration Tester" or "SOC Level 1" path depending on your target
- Set up LinkedIn: professional photo, cybersecurity headline, add your home lab and TryHackMe progress
- Complete all DVWA modules at Low and Medium — SQLi, XSS, file upload, command injection, CSRF. Home lab guide →
- Complete PortSwigger Web Security Academy — SQLi and XSS learning paths (free). XSS tutorial → | SQL injection tutorial →
- Root your first VulnHub machine (Kioptrix Level 1) — document everything in a writeup
- Learn Splunk — complete the free Splunk Fundamentals 1 course on splunk.com
- Start a writeup blog (GitHub Pages or Medium) — document every lab exercise. This becomes your portfolio.
- SOC path: Complete TryHackMe SOC Level 1 path, study CySA+ (CompTIA CySA+), complete 10 LetsDefend alert investigation labs
- Pentest path: Complete 10 HackTheBox retired machines, start PortSwigger Advanced Topics, learn Active Directory basics
- Bug bounty path: Create HackerOne account, read 50 disclosed reports, choose first programme, submit first 5 reports regardless of outcome. Bug bounty guide →
- Cloud path: Start AWS Certified Solutions Architect — Associate study (Adrian Cantrill's course is outstanding)
- Apply for 5–10 entry-level positions even if not "ready" — job applications are research. Learn what employers actually ask for.
- Complete your portfolio: 5+ writeups documenting labs, 1 home lab architecture writeup, any bug bounty findings (even invalid ones show you're actively hunting)
- GitHub profile: push all scripts, tools, and notes from your learning — recruiters look at GitHub activity graphs
- Target 30+ applications per month — use LinkedIn Easy Apply, Indeed, Dice (US), CWJobs (UK), Naukri (India)
- Join cybersecurity communities: HOC Discord, TryHackMe Discord, r/netsec, local OWASP chapter meetings
- Apply for apprenticeships — Google Cybersecurity Certificate → entry programs, Microsoft LEAP, Amazon apprenticeship programs often accept non-traditional backgrounds
- Study common interview questions by role — SOC: "Walk me through your incident response process", Pentest: "How do you approach a web application test?"
- Practice technical questions: describe the TCP handshake, explain SQL injection, walk through a phishing investigation — out loud, not just in your head
- Prepare your story: why cybersecurity, what you've built, what you've learned, where you're going. Rehearse it until it flows naturally.
- Negotiate offers: entry-level cybersecurity salaries are negotiable. Research market rates on levels.fyi, Glassdoor, and LinkedIn Salary. Ask for 10–15% above initial offer.
- If no offer by month 12: reassess — is it skills, applications, portfolio, or interview performance? Get feedback, adjust, continue. Most successful career changers report 9–18 months to first offer.
Cybersecurity is one of the most credential-flexible fields in technology. An estimated 40% of professionals working in security did not study IT or computer science — they came from law enforcement, military, finance, healthcare, and completely unrelated fields. What matters is demonstrable skill, not where you learned it.
⚡ Start your cybersecurity career today
- Pick your path from Section 3–7 and commit to it for at least 12 months. The biggest mistake is switching paths every 3 months when progress feels slow. Depth in one path beats shallow knowledge of five.
- Build your home lab this weekend — it costs nothing and is the most important hands-on learning environment you will have. Home lab setup guide →
- Start TryHackMe today — create a free account, join the Pre-Security or SOC Level 1 path, and do one room per day. Consistency matters more than speed. tryhackme.com
- Study for Security+ — the universal entry credential. Professor Messer's free course on YouTube covers everything. Three months of evening study is realistic.
- Master the core tools for your path: Burp Suite → Burp tutorial → | Nmap → Nmap tutorial → | Wireshark → Wireshark tutorial →
- Learn web vulnerabilities — most entry security roles involve web application security. XSS tutorial → | SQL injection tutorial →
Most people transitioning into cybersecurity from scratch report 9–18 months to their first job offer with consistent daily effort. The 12-month action plan in this article is realistic for someone dedicating 2–3 hours daily. Timeline accelerators: SOC roles hire faster than pentesting roles, a related IT background shortens the timeline, and having a visible portfolio (writeup blog, GitHub, TryHackMe rank) significantly increases interview invitation rates.
No — cybersecurity is one of the most skill-based fields in technology. Many employers accept relevant certifications (Security+, OSCP) in place of a degree for technical roles. Government and intelligence agency positions sometimes require degrees for clearances. The practical path: Security+ certification, a hands-on portfolio (writeups, home lab, TryHackMe rank), and demonstrable skills consistently outperforms a CS degree with no hands-on security work in technical role hiring processes.
CompTIA Security+ SY0-701 is the universal answer for almost everyone. It is DoD 8570 compliant (required for US government contractor roles), recognised by virtually every employer, covers all foundational security domains, and costs around $400. Study time is 2–3 months. If your networking knowledge is weak, study CompTIA Network+ first (or concurrently). After Security+, your next cert depends on your chosen path: CySA+ for SOC, eJPT then OSCP for pentesting, AWS SAA then AWS Security Specialty for cloud.
Yes — it is the best entry point for most people in 2026. SOC Tier 1 roles are consistently available, hire without prior security experience (just Security+ and demonstrable interest), provide structured training, expose you to real threats and real security tooling, and build the defensive knowledge that makes you a more effective offensive security practitioner later. The shift work and repetitive nature of Tier 1 are real downsides, but most professionals spend 1–2 years in SOC before transitioning to higher-specialisation roles.
Yes — OSCP remains the gold standard certification for penetration testers. It is a 24-hour practical exam that requires you to compromise machines in a live environment and write a professional report. This format means it is very hard to pass without genuinely having the skills — which is why employers trust it. The cost ($1,499 for 90 days lab access) is significant, but most penetration testing job postings list OSCP as preferred or required. Prepare for 3–6 months: complete 30+ HackTheBox machines, the TryHackMe Jr Penetration Tester path, and the official PEN-200 course material before sitting the exam.
In 2026, AI Security Research and Cloud Security Engineering are the highest-compensated technical roles, with senior positions at major tech companies reaching $200,000–$400,000+ in total compensation. Among more accessible paths, senior penetration testers and senior cloud security engineers earn $150,000–$250,000 in the US. The CISO track eventually reaches $200,000–$500,000 but requires 10–15 years of progressive experience. All paths offer strong compensation relative to comparable IT roles — the specific numbers matter less than choosing a path you are genuinely interested in, because sustained performance over years is what produces high earnings.
A SOC analyst is a defender who monitors systems for signs of attacks, investigates alerts, and responds to incidents — reactive work focused on detecting what is already happening. A penetration tester is an attacker-for-hire who proactively searches for vulnerabilities before real attackers find them — offensive work focused on finding weaknesses before they are exploited. SOC is blue team (defensive); penetration testing is red team (offensive). Both are essential, well-compensated, and increasingly the best security professionals have experience in both sides of the discipline.